Tencent Bug Bounty Program
Tencent is a world-leading internet and technology company that develops innovative products and services to improve the quality of life of people around the world.
Bounty Policy
Tencent looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. If you believe you have discovered a vulnerability, kindly disclose it to us responsibly via the Tencent Security Response Centre (TSRC).
Important: reports submitted directly through the YesWeHack platform will not be reviewed; they will be closed automatically as "RTFS".
Rules of Engagement
The classification of a vulnerability (Critical, High, Moderate or Low, as described below), whether a product or application is in scope of the bounty program and its classification (core, important, or other in-scope), and whether to grant a monetary reward and its amount are within the sole discretion of the Tencent Security Team, based on a number of factors including, without limitation, the quality of the report, the severity of the vulnerability, its reproducibility, its impact on our users and on other products and services, and its ease of exploitation.
Any design or implementation issue that is reproducible and substantially affects the security of Tencent users is likely to be in scope for the program.
However, only reports that meet the following requirements are eligible to receive a monetary reward:
- You must be above the age of 13. If you are between the ages of 13 and 18 (or the relevant age in your jurisdiction where you are considered a minor), your parent or guardian must agree to the Agreement (both for themselves and on your behalf) before you can submit reports.
- You must be the first reporter of the vulnerability (whether you are the first reporter is determined by us in our discretion and we are not obligated to share with you details related to prior reports).
- Your report must be your own work, and must not use information owned by another person or entity.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- The vulnerability must demonstrate security impact to a site or application in scope (see Scope below).
- Accessing private information of other users, performing actions that may negatively affect Tencent users (e.g., spam, denial of service), or sending unverified reports from automated tools will immediately disqualify the report, and may result in further steps being taken. You must comply with applicable laws and regulations, including applicable privacy laws, with respect to your disclosure and your access to data.
- When testing, use and interact only with your own test accounts, in order to respect our users' privacy; avoid any action that may compromise the privacy of others. You will not interact with another user's account without that user's prior written consent (which you will make available to us upon request).
- Vulnerability Disclosure:
- It is strictly forbidden to publicly disclose the vulnerability before the report has been closed by us, the vulnerability has been fixed, and you have received written authorization from us.
- Any disclosure, and its content, must be authorized by TSRC. Please note that any form of vulnerability disclosure prior to Tencent's consent may result in disqualification from the Bounty program.
- Feel free to contact us if you have any questions.
- We cannot issue rewards where we are prohibited from doing so (for example, if you are subject to trade sanctions, embargoes or denied-person status). We are also unable to issue rewards to individuals employed by Tencent or its subsidiaries.
In-Scope Assets
Products, services and applications distributed and made available in any form by or on behalf of Tencent and described in “Core Products” and “Other In-Scope Products” below are in scope. For more information about our products and services, please visit https://www.tencent.com/en-us/business.html
1. Core Products
- WeChat (Android, iOS, WinPC, Mac)
- WeChat instant messaging function
- WeChat login/ticket
- WeChat address book
- WeChat Moments
- WeChat Official Account
- WeChat Mini Program main framework API
- WeCom (Android, iOS, WinPC, Mac)
- Tencent Exmail main domain (.exmail.qq.com)
- WeCom management background
- WeCom address book
- WeCom instant messaging function
- QQ mail main domain (.mail.qq.com)
- WeCom basic core functions (WeCom instant messaging function, enterprise payment, session content archive, Weiyun, document, fusion meeting, WeCom Moments)
- WeCom sensitive information, such as the enterprise address book list and login/ticket
- WeChat payment function (excluding services recommended on the payment guide page grid)
- WeChat wallet
- WeChat Pay independently-developed face recognition device
- WeChat Pay independently-developed palm recognition device
- WeChat payment merchant platform (including domestic and overseas)
- WeChat Credit card repayment
- Tenpay
- LiCaiTong
- Tencent mobile top-up (chong.qq.com)
- Tencent Portfolio (腾讯自选股)
- King of Glory mobile game
- Game for Peace mobile game
- Tencent Games Joy Club
- jiazhang.qq.com (成长守护平台, Growth Guardian Platform)
- QQ client (Android, iOS, WinPC, Mac)
- QQ basic core functions (such as instant messaging function, user profile, login/ticket, etc.)
- QQ wallet (excluding services recommended on the wallet guide page grid)
- doc.qq.com (excluding third-party plug-ins)
- Tencent Video main website and mobile APP (Android, iOS)
- Voov Meeting
- Tencent Cloud (computing/container and middleware/storage/network and CDN/security)
- Tencent PC Manager/Tencent Mobile Manager
- DNSPod
2. Other In-Scope Products
This category includes the majority of Tencent's products and businesses, such as Tencent Game Helper (腾讯游戏助手), Tencent Ride Code Mini Program (腾讯乘车码小程序), QQ Music and other products, including but not limited to mobile applications, clients, mini programs, web sites, hardware, IoT, server services, and other product models.
3. Notes about Tencent Cloud (cloud.tencent.com as included in *.tencent.com)
Only vulnerabilities affecting the platform itself and IP addresses owned by Tencent will be accepted. If an IP address belongs to an external Tencent Cloud customer, it is not in scope.
Out-of-Scope Assets
Please note that the vulnerabilities reported for the following assets will not be eligible for bounties.
- *.qzoneapp.com
- *.myqcloud.com
- Third-party applications and websites
Rewards
Scope | Critical Severity Vulnerability | High Severity Vulnerability | Moderate Severity Vulnerability | Low Severity Vulnerability |
---|---|---|---|---|
Core assets | $1,865-6,425 | $585-780 | $75-130 | $15-32 |
Other in-scope assets | $1,225-1,827 | $390-520 | $40-65 | $8-17 |
Rewards are stated in USD.
Severity Rating | Example |
---|---|
Critical | Vulnerabilities that directly obtain permissions (limited to Tencent's server permissions and core product client permissions). This includes but is not limited to remote arbitrary command execution, uploading webshells, etc. |
| Vulnerabilities that directly lead to serious information leakage, limited to platforms such as WeChat, QQ, QZone, King of Glory and platforms of the same scale, involving information that can affect the security of users' identity information. |
| Logical vulnerabilities that directly cause serious impact. This includes but is not limited to sending messages to other users from a spoofed QQ/WeChat account, and vulnerabilities that permit resetting the password of another user's QQ/WeChat account. If the vulnerability can only trigger harassing pop-ups and cannot deliver attacker-specified readable content, it does not qualify as critical. |
| Vulnerabilities that directly affect cash. The funds must be directly withdrawable without exploitation restrictions, and the affected amount must exceed RMB 100,000. |
High | Vulnerabilities that can directly steal user identity information. This includes stored XSS (requiring little interaction, easy to spread, able to affect a large number of users) in QZone, QQ Mail, WeCom Mail, Web WeChat and WeChat Official Account products, and SQL injection vulnerabilities that can read database table field names on Tencent business sites. |
| Vulnerabilities allowing unauthorized access to a management platform and use of administrator functions, including login to sensitive management back ends; the number of active users, the total number of users (no fewer than a thousand), functional importance, and the sensitivity of user information on the affected platform are used as the rating criteria for high-risk vulnerabilities. |
| High-risk information leakage vulnerabilities. This includes directly exploitable sensitive data leaks, and vulnerabilities that leak the identity information of a large number of users of a site or directly pose a high risk to the business. The leak must expose at least three sensitive information fields and affect more than 10,000 users; if these thresholds are not met, the rating is evaluated according to the actual situation. (Sensitive information fields are real name, ID card number, address, contact information (mobile phone, WeChat, QQ), bank card number, complete transaction information, medical information, etc.) |
| Vulnerabilities that can directly obtain client permissions remotely. This includes remote command execution, exploitable remote buffer overflows, exploitable browser use-after-free vulnerabilities, remote kernel code execution, and other remote code execution caused by logic flaws. |
| SSRF vulnerabilities that can directly access Tencent's intranet with full response echo (it must be proven that the vulnerable endpoint can indeed reach the intranet; scanning of intranet services is not allowed). SSRF is rated uniformly according to the affected key business. |
| XSS in core client products that can obtain sensitive information or perform sensitive operations. |
| Unauthorized use of another person's identity to perform all functions. |
| Beyond business and product expectations, a single user can arbitrarily obtain virtual goods with cash value, affecting at least RMB 5,000. |
| Arbitrary file read and write vulnerabilities, including arbitrary read, write and overwrite of COS (Cloud Object Storage) files across the entire site used by the business. |
Moderate | Vulnerabilities that require user interaction to obtain user identity information. This includes but is not limited to stored XSS, reflected XSS, DOM XSS, and CSRF on important sensitive operations. |
| Remote application denial of service (without interaction), kernel denial of service, and XSS in client products (other than the core client products rated High above) that can obtain sensitive information or perform sensitive operations. |
| Ordinary information leakage vulnerabilities. This includes plaintext storage of passwords on the client, plaintext transmission of QQ passwords, and leakage of source code archives containing sensitive information. |
| Subdomain takeover of qq.com and tencent.com subdomains. |
| OAuth login or account-binding hijacking that requires the victim to click a link. |
| SSRF vulnerabilities that can directly access Tencent's intranet but return no response echo (blind SSRF). |
| Arbitrary code execution on the local machine. |
| Leakage of a WeChat Mini Program key: unless it can be proven that harmful APIs can be exploited with it (such as sending customer-service messages or calling Tencent Cloud API write operations), the rating will not exceed Moderate. |
| Authorization bypass on a single non-critical interface will not exceed Moderate. |
Low | Vulnerabilities that can only obtain user identity information in specific, unpopular browser environments. |
| Vulnerabilities that leak a small amount of low-impact information. |
| Open URL redirection. |
| Unrestricted SMS bombing. |
| Issues that are difficult to exploit but may carry security risk. |
All reports will be reviewed based on the impact and severity of the reported vulnerability. Any qualifying report that results in a change being made will at a minimum receive Hall of Fame recognition.
The main categories of vulnerabilities that we are concerned about are:
- Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference issues, etc.)
- Exposed administrative panels without strong protection
- Directory Traversal Issues
- Local File Disclosure (LFD)
- Vast Users’ Sensitive Information Leakage
- Vast Order details Leakage
Test Plan
You can use a QQ or WeChat account to log into all of Tencent's assets.
- To register a QQ account, go to https://ssl.zc.qq.com/v3/index-en.html?type=0 and follow the instructions.
- To register a WeChat account, download the WeChat app from the App Store (iOS) or an Android app store, then follow the registration guide.
Once you have a QQ or WeChat account, you can start testing.
Out-of-Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope (either ineligible or false positives):
- "Self" XSS
- Session fixation
- Content Spoofing
- Missing cookie flags
- SSL/TLS best practices
- Mixed content warnings
- Clickjacking/UI redressing
- Flash-based vulnerabilities
- Admin panel that can be brute-forced
- Local denial of service of Mobile APP
- Reflected file download attacks (RFD)
- Physical or social engineering attacks
- Feedback, comment, message, etc. flooding
- SMS/Email flooding for some of our businesses
- CSRF/XSS that require a long or unpredictable parameter
- Login/logout/unauthenticated/low-impact CSRF
- Unverified Results of automated tools or scanners
- No SPF/DMARC on non-email domains/subdomains
- Attacks requiring MITM or physical access to a user's device
- Issues related to networking protocols or industry standards
- Error information disclosure that cannot be used to make a direct attack
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Information leakage that cannot be used to make a direct attack, like server IP, server version, path, error message, internal IP, etc.
Detecting SSRF
We have set up a "demo" service for SSRF testing. If you believe you have found an SSRF in production, use the following endpoint (reachable by IP/port or by hostname) as the target:
http://10.204.9.230:80 (aka http://tst.qq.com/flag.html)
This service accepts HTTP requests to any path with any request method, and returns a secret token in both the response headers and the response body, so a full-echo SSRF can be proven without scanning any other intranet service.
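As an added illustration (not Tencent's code, and not the real tst.qq.com service), the following Python script stands up a local mock of a canary with the behaviour described above (any path, any method, token in a header and in the body) and shows how a PoC would classify what an SSRF attempt got back as full-echo versus blind, which is the distinction the severity table draws. The token value FLAG-EXAMPLE-0000, the header name X-Flag and the helper names are assumptions; the real token is secret.

```python
"""Local mock of an SSRF canary service plus a PoC-side echo check.

Added example; not Tencent's code or the real tst.qq.com service. The token
value, the header name and all helper names below are assumptions.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

CANARY_TOKEN = "FLAG-EXAMPLE-0000"  # assumed; the real service's token is secret
CANARY_HEADER = "X-Flag"            # assumed header name


class CanaryHandler(BaseHTTPRequestHandler):
    """Answer any path with any method: token in a header and in the body."""

    def _reply(self):
        body = f"flag={CANARY_TOKEN}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header(CANARY_HEADER, CANARY_TOKEN)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD gets headers only, per HTTP
            self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = do_OPTIONS = _reply

    def log_message(self, *args):  # silence per-request logging
        pass


def start_canary(host="127.0.0.1", port=0):
    """Serve the mock in a daemon thread; port 0 picks a free port.
    Returns (server, base_url); call server.shutdown() when done."""
    srv = HTTPServer((host, port), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://{host}:{srv.server_address[1]}"


def fetch_via(base_url, path="/flag.html", method="GET"):
    """Stand-in for 'the vulnerable server fetched the canary URL for us':
    returns (status, headers, body) as the SSRF PoC would observe them."""
    req = Request(base_url + path, method=method)
    with urlopen(req, timeout=5) as resp:
        return resp.status, dict(resp.headers), resp.read().decode(errors="replace")


def classify_echo(headers, body):
    """'full' if the token came back in a header or the body (rated High in the
    table above when the intranet is reached); 'blind' if nothing identifying
    was echoed (rated Moderate). Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(CANARY_HEADER.lower()) == CANARY_TOKEN or CANARY_TOKEN in body:
        return "full"
    return "blind"


if __name__ == "__main__":
    server, url = start_canary()
    try:
        for method in ("GET", "POST", "PUT", "HEAD"):
            status, hdrs, text = fetch_via(url, "/any/path", method)
            print(method, status, classify_echo(hdrs, text))
    finally:
        server.shutdown()
```

In a real PoC, `fetch_via` is replaced by whatever makes the vulnerable Tencent endpoint request the canary URL on your behalf; the report then only needs the echoed token (or, for the blind case, the absence of one), not any further intranet probing.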
Reward
Severity (CVSS) | Low | Medium | High | Critical |
---|---|---|---|---|
Maximum reward (core assets, USD) | $32 | $130 | $780 | $6,425 |
Scopes
Scope | Type |
---|---|
In-Scope Products (for the full list please visit https://en.security.tencent.com/index.php/policy) | other |
Hunting requirements
Account access
To expand its community of researchers and recruit global talent, Tencent is partnering with YesWeHack to run its Bug Bounty Program.
Please note that the program will be externally hosted on the Tencent Security Response Centre (TSRC) and Tencent will only be accepting report submissions through the TSRC platform. Rewards offered on TSRC are entirely driven and decided by Tencent.
If you believe you have discovered a vulnerability, kindly disclose it to Tencent responsibly and we will work with you to ensure we remediate the issue to the best of our ability.
Contact Tencent
For any questions or clarifications, you may contact the Tencent Security Team at security@tencent.com.
Other links:
- Tencent Security Response Centre
- WeChat Account ID: tsrc_team
User agent
Please append the following value to your User-Agent header: ' -BugBounty-tencent-31337 '.
Hunters collaboration
When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.
For more information, see the help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.